October 25, 2020

BitJackass Diary Part 4

Hacks of official sites and github profiles of cryptocurrency projects occur quite often, through that malicious code is spreading. As a result, a loss of cash. Redistributable software is often replaced. Usually an attack is carried out on one of the network nodes, then data is spoofed. There are several ways to protect against such an attack. A PGP signature is considered verified.

PGP signatures are proof thatdistributed files were signed by the owner of the signature key. For example, if the site https://electrum.org was hacked and the source files were replaced, the signature verification will fail because the attacker will not be able to create valid signatures.

We offer you a way to verify the PGP signature, using the Electrum wallet as an example.

This method can also be used to verify software signatures of other cryptocurrency projects.

1) Download and install the Kleopatra program (certificate manager and universal graphical interface to cryptographic algorithms)

Click Search on the server, enter Thomas Voegtlin fingerprint in the search bar

Today's famous Fingerprint Thomas Voegtlin
6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
(Source: youtube video https://www.youtube.com/watch?v=7D83IpdiF-U)

BitJackass Diary Part 4

2) Then we select the result and click the “Import” button, as a result, the list of certificates should look like this:

BitJackass Diary Part 4

3) Next, go to the link https://electrum.org/#download

4) Download the Electrum distribution and the signature file in one folder

The signature file can be downloaded as follows:

BitJackass Diary Part 4

5) We return to the Kleopatra program, click on the “Decrypt and Verify” tab, select the previously saved .asc signature file

We get the result:

BitJackass Diary Part 4

Test Result (Thomas Voegtlin (https://electrum.org) <[email protected]> (2BD5 824B 7F94 70E6)) indicates that the file was signed with the fingerprint PGP key

6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6,

which belongs to one of the creators of Electrum - Thomas Voegtlin.

This means that the Electrum wallet installation file is genuine.

If the verification of the signature did not succeed, then you would see another message - “Invalid signature”. So, the Electrum installation file is compromised.

Regards, BitJackass.